
D3.7 A Structured Collection on Information and Literature on Technological and Usability Aspects of Radio Frequency Identification (RFID)

THREATS

 

Threats for the air interface

 

Eavesdropping 

The communication between reader and transponder via the air interface can be monitored by intercepting and decoding the radio signals. This is one of the most specific threats to RFID systems. The eavesdropped information could, for example, be used to collect privacy-sensitive information about a person.

Security measures for eavesdropping 

An effective measure to reduce the effect of eavesdropping is to shift all data to the backend. However, shifting data (e.g. biometrics) to a central database may bring new privacy concerns and raise new security issues related to database protection.

More advanced tags have a module to encrypt the communication with the reader, which also prevents eavesdropping. Another measure would be to design the RFID system so that tags are used with a small range that is just sufficient for the legitimate readers (thereby shutting out a class of unauthorised readers).

Related costs 

To perform eavesdropping, the attacker would have to acquire a suitable reader. Due to the short range involved, the possibility of this attack is limited; however, it can be performed from a much greater distance than the standard range of communication. On the other hand, when the attacker wants to eavesdrop on communication from a distance significantly greater than the standard range, the cost of the attack increases.

A cheap and effective way to prevent eavesdropping is to use some kind of shielding of the tag, although this would have to be done for every tag. When the tag has an encryption method available, the costs of switching it on are low; most expenses would go into the management of tags and readers, which have to be loaded with cryptographic keys. Shifting all data on the tag to the backend requires a new infrastructure (in the backend and for provisioning of the tags and readers), which brings high initial costs that will fade out later.

 

Blocking 

So-called blocker tags simulate to the reader the presence of any number of tags, thereby blocking the reader. A blocker tag must be configured for the respective anti-collision protocol that is used, and for some protocols blocking is not possible. It is worth noting that a blocker tag can also be a tool for protecting privacy (Juels, Rivest, Szydlo 2003), as it does not allow the reader to read specific tags.

Security measures for blocking 

Appropriate legal regulation could be helpful (although obviously some attackers do not follow rules). Blocking can be prevented by using specific protocols.

Related costs 

A blocker tag is relatively cheap and can prevent a reader from working properly, although it only works for specific anti-collision procedures. The price of using a protocol that does not allow for blocking depends on the implementation.
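The following added example (not part of the original deliverable) simulates a reader inventory to show why a blocker tag stalls it, and how a reader can flag the condition. It assumes a binary tree-walking anti-collision protocol, which the page does not name; the 8-bit IDs, the sample tag IDs and the `max_expected` threshold are constructed for illustration.

```python
# Added illustration: reader-side tree-walking singulation with a blocker present.
ID_BITS = 8  # constructed: short IDs keep the full tree small (256 leaves)


class Tag:
    def __init__(self, tag_id):
        self.bits = format(tag_id, f"0{ID_BITS}b")

    def reply(self, prefix):
        """Return the next bit this tag broadcasts if its ID matches the prefix."""
        if self.bits.startswith(prefix):
            return {self.bits[len(prefix)]}
        return set()


class BlockerTag:
    """Answers both '0' and '1' for every prefix, i.e. a forced collision."""
    def reply(self, prefix):
        return {"0", "1"}


class BlockingSuspected(Exception):
    pass


def tree_walk(tags, max_expected):
    """Singulate all tags; raise if more IDs appear than the site can hold."""
    found, stack = [], [""]
    while stack:
        prefix = stack.pop()
        if len(prefix) == ID_BITS:
            found.append(int(prefix, 2))
            if len(found) > max_expected:
                raise BlockingSuspected(f"more than {max_expected} IDs singulated")
            continue
        heard = set().union(*(t.reply(prefix) for t in tags))
        # Hearing '0' and '1' together is a collision: descend into both subtrees.
        stack.extend(prefix + b for b in sorted(heard, reverse=True))
    return sorted(found)


def inventory(tags, max_expected=16):
    """Return (ids, blocked); max_expected is a hypothetical per-site tag budget."""
    try:
        return tree_walk(tags, max_expected), False
    except BlockingSuspected:
        return [], True
```

With real tags only, the walk visits a handful of branches; with the blocker present every branch collides, so the reader would enumerate all 2^8 IDs unless it stops at the budget and reports the inventory as unreliable.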

 

Jamming 

Jamming means a deliberate attempt to disturb the air interface between reader and tag, thereby attacking the integrity or the availability of the communication. This could be achieved by powerful transmitters at a large distance, but also through more passive means such as shielding. As the air interface is not very robust, even simple passive measures can be very effective.

Security measures for jamming 

It is possible to detect jamming transmitters by performing random measurements or by using permanently installed field detectors. 

Related costs  

A jamming transmitter has to be powerful enough to jam the tag-reader interface, and it requires some technical experience. The further the range, the more expensive the transmitter. 

A field detector to detect possible jamming transmitters is a dedicated device, and measurements are performed by skilled engineers. 

 

Relay attack 

A relay attack (Kfir, Wool 2005) for contactless cards is similar to the well-known man-in-the-middle attack. A device is placed between the reader and the tag such that all communication between reader and tag goes through this device, while both tag and reader think they are communicating directly with each other. In payment systems, for example, smartly modifying this communication could lead to charging the wrong electronic wallet (a smart card with an RFID tag). To make this attack more practical one could increase the distance between the legitimate card and the victim’s card by splitting the device into two components, one communicating with the reader, and one with the victim’s card. The communication between these two components could be implemented by any kind of fast wireless technology.

Security measures for relay attacks 

One way to guard against relay attacks is to shield the tag when it is not in use, e.g. by putting the tagged card in a Faraday-like cage (Kfir, Wool 2005). Another way is to require an additional action by the user (pushing a button, typing in a PIN code or other authentication procedures) to activate the tagged card, although this solution eliminates some of the convenience of the contactless system. In addition, the communication between tag and reader can be encrypted properly.

Related costs 

Performing a relay attack requires a special device to intercept and modify the radio signal, and the communication between the two main components in particular would be sophisticated.

Placing the smart card in a Faraday-cage-like holder is relatively easy to do. An extra action by the user before activating the smart card, and encryption, require a more sophisticated card and/or reader.

 

 

 

 

 

Denis Royer 15 / 46